xworm

General

Target

krampus.zip
Size

263KB
Sample

240427-ns52kahf76
MD5

ae1de090714d6d4a4cd848dbbe057404
SHA1

d632f84ec7896e36efc5e824f9d9075ab82884f6
SHA256

ccd54a983fb9a6c4dad13f51f549712c80dd082dd984292137640d14bfe44bf9
SHA512

deecf7e8569382ae4a08cbdb028ab871bfb060a4ddb9b6d10138f41116b005fcf2090b00b26faeb61fe477f7c65bbf1970e638cc26ff31845a962c65cfc680d9
SSDEEP

6144:7Jem5K8LMK4wwr3zIIEBBNfNgFGaUX6mGPTTLtAyZ0KlIS5:9Z5Kw/wrj1wfxZsTLtwk5

Score

10^/10

Malware Config

Extracted

Family

xworm

Attributes

Install_directory
%Public%
install_file
svchost.exe
pastebin_url
https://pastebin.com/raw/UWpQULMP

Targets

- Target
  
  krampus.zip
- Size
  
  263KB
- MD5
  
  ae1de090714d6d4a4cd848dbbe057404
- SHA1
  
  d632f84ec7896e36efc5e824f9d9075ab82884f6
- SHA256
  
  ccd54a983fb9a6c4dad13f51f549712c80dd082dd984292137640d14bfe44bf9
- SHA512
  
  deecf7e8569382ae4a08cbdb028ab871bfb060a4ddb9b6d10138f41116b005fcf2090b00b26faeb61fe477f7c65bbf1970e638cc26ff31845a962c65cfc680d9
- SSDEEP
  
  6144:7Jem5K8LMK4wwr3zIIEBBNfNgFGaUX6mGPTTLtAyZ0KlIS5:9Z5Kw/wrj1wfxZsTLtwk5
Score

10^/10

xworm persistence rat trojan upx
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Blocklisted process makes network request
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
behavioral1
- Target
  
  Ro-exec/READ ME (ro-exec).txt
- Size
  
  1KB
- MD5
  
  1f9c507519361f7b7cc8fc3d66212a68
- SHA1
  
  6119fef9df683505e941aeb6ea425c4247d388b7
- SHA256
  
  6b8772efbde31f7905ea54ddf51e4d8e3cb7ea49763215fa8cab88357885d9ff
- SHA512
  
  c0193bd5e43650fe5fed86ebe6329c903e5c820629826447c033d2b561ccca9f912a1663d8379d9cbb732691b4c65160f6a3d4eff996f6fff86d0ea41b7c3922
Score

3^/10
behavioral2
- Target
  
  Ro-exec/ezdebug.png
- Size
  
  49KB
- MD5
  
  654dfa5c392f08728a7acc79587ecdd1
- SHA1
  
  56a1abc7ac86e7275c8fac870700417d724c66ea
- SHA256
  
  65792581029de7e992a20f67e1ebca3031c258e743f0f6f0f29d60f880573c32
- SHA512
  
  2c30c6972686a03e6c5fc89a024eaf3ceeb81b1fd8c19e2f8c652effa4e1e0e7171dfe1d17f95ad2e623ce5dfd80242489ffb3294f1928382ebae41ce764abb7
- SSDEEP
  
  1536:kNfMc6jr372U55shDVmWcEaOH5UWRxrL5PYpBv:kNf67glVmWcz+7RxZYpR
Score

3^/10
behavioral3
- Target
  
  Ro-exec/loader-upd.bat
- Size
  
  295KB
- MD5
  
  e0b1638feea307a3afbeacaec7fd506c
- SHA1
  
  16d849c8f90412a612e1fc0eed6e406f076d4099
- SHA256
  
  34f1b41e2547cf79b54e6b174f7b9b2be3f918fa52e831606f58de55513df91e
- SHA512
  
  795e2418636e320eb8cd381066ac5ef4ef479b770d1bab1a7221aba15d7fa9e7d54b996dac1b93fa9068e57c5ee369fd5024ce916c6de07e48f1ff8d51863a5e
- SSDEEP
  
  6144:yll7goJPFab7YvftLMYUQK4UHF8WkA0dXTwxl:MlnabilLMYHbTDlSl
Score

10^/10

xworm persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Blocklisted process makes network request
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
behavioral4